From 4d0f57882e08ec21cb2c937fa0ad39f782e18ea8 Mon Sep 17 00:00:00 2001
From: Mickael CORNIERE
Date: Tue, 21 Nov 2023 10:17:06 +0100
Subject: [PATCH 1/2] Add parameter to add server_tls_policy (for mTLS)

---
 modules/serverless_negs/main.tf | 1 +
 modules/serverless_negs/variables.tf | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/modules/serverless_negs/main.tf b/modules/serverless_negs/main.tf
index fe42890f..f620cf1a 100644
--- a/modules/serverless_negs/main.tf
+++ b/modules/serverless_negs/main.tf
@@ -120,6 +120,7 @@ resource "google_compute_target_https_proxy" "default" {
 certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
 ssl_policy = var.ssl_policy
 quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+ server_tls_policy = var.server_tls_policy
 }
 
 resource "google_compute_ssl_certificate" "default" {
diff --git a/modules/serverless_negs/variables.tf b/modules/serverless_negs/variables.tf
index 59a56b3e..40f8e141 100644
--- a/modules/serverless_negs/variables.tf
+++ b/modules/serverless_negs/variables.tf
@@ -245,3 +245,10 @@ variable "network" {
 type = string
 default = "default"
 }
+
+
+variable "server_tls_policy" {
+ description = "The resource URL for the server TLS policy to associate with the https proxy service"
+ type = string
+ default = null
+}

From 464946b61a9de73cb61e06fa9ec5589642c8c024 Mon Sep 17 00:00:00 2001
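Review bot: The new `server_tls_policy` variable accepts any string and its description does not say what value is expected or what behaviour it switches on; the same definition is repeated in autogen/variables.tf.tmpl, modules/dynamic_backends/variables.tf and the root variables.tf in the second patch, so one fix in the template covers them. The attribute references a Network Security ServerTlsPolicy, and whether a request without a valid client certificate is rejected is decided by that policy's client validation mode rather than by this module, so a reader of the variable alone cannot tell that `default = null` leaves client authentication off. I would expand the description to something like `description = "Full resource name of the networksecurity ServerTlsPolicy (projects/<project>/locations/<location>/serverTlsPolicies/<name>) to attach to the HTTPS proxy for mTLS; the policy's client validation mode decides whether requests without a valid client certificate are rejected. null attaches no policy."` and, if the module's required Terraform version allows `validation` blocks, reject values that are not of that resource-name form. The target_https_proxy resource this feeds starts outside the hunk, so I cannot confirm whether it is conditional on `var.ssl`; if it is, the README row should state that the variable has no effect when `ssl = false`.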
From: Mickael CORNIERE
Date: Mon, 27 Nov 2023 11:26:55 +0100
Subject: [PATCH 2/2] Add server_tls_policy in the template and generate all files

---
 README.md | 1 +
 autogen/main.tf.tmpl | 1 +
 autogen/variables.tf.tmpl | 6 ++++++
 main.tf | 9 +++++----
 modules/dynamic_backends/README.md | 1 +
 modules/dynamic_backends/main.tf | 9 +++++----
 modules/dynamic_backends/variables.tf | 6 ++++++
 modules/serverless_negs/README.md | 1 +
 modules/serverless_negs/main.tf | 8 ++++----
 modules/serverless_negs/variables.tf | 1 -
 variables.tf | 6 ++++++
 11 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index ce901a2d..19ce1274 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,7 @@ module "gce-lb-http" {
 | quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |
 | random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no |
 | security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no |
+| server\_tls\_policy | The resource URL for the server TLS policy to associate with the https proxy service | `string` | `null` | no |
 | ssl | Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no |
 | ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
 | ssl\_policy | Selfink to SSL Policy | `string` | `null` | no |
diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl
index ca4984ab..a46c9989 100644
--- a/autogen/main.tf.tmpl
+++ b/autogen/main.tf.tmpl
@@ -123,6 +123,7 @@ resource "google_compute_target_https_proxy" "default" {
 certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
 ssl_policy = var.ssl_policy
 quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+ server_tls_policy = var.server_tls_policy
 }
 
 resource "google_compute_ssl_certificate" "default" {
diff --git a/autogen/variables.tf.tmpl b/autogen/variables.tf.tmpl
index f41b8099..b6170765 100644
--- a/autogen/variables.tf.tmpl
+++ b/autogen/variables.tf.tmpl
@@ -310,3 +310,9 @@ variable "network" {
 type = string
 default = "default"
 }
+
+variable "server_tls_policy" {
+ description = "The resource URL for the server TLS policy to associate with the https proxy service"
+ type = string
+ default = null
+}
diff --git a/main.tf b/main.tf
index f4ca0f37..574482dc 100644
--- a/main.tf
+++ b/main.tf
@@ -117,10 +117,11 @@ resource "google_compute_target_https_proxy" "default" {
 name = "${var.name}-https-proxy"
 url_map = local.url_map
 
- ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
- certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
- ssl_policy = var.ssl_policy
- quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+ ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
+ certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+ ssl_policy = var.ssl_policy
+ quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+ server_tls_policy = var.server_tls_policy
 }
 
 resource "google_compute_ssl_certificate" "default" {
diff --git a/modules/dynamic_backends/README.md b/modules/dynamic_backends/README.md
index fc9c8b3d..1d209464 100644
--- a/modules/dynamic_backends/README.md
+++ b/modules/dynamic_backends/README.md
@@ -111,6 +111,7 @@ module "gce-lb-http" {
 | quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |
 | random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no |
 | security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no |
+| server\_tls\_policy | The resource URL for the server TLS policy to associate with the https proxy service | `string` | `null` | no |
 | ssl | Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no |
 | ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
 | ssl\_policy | Selfink to SSL Policy | `string` | `null` | no |
diff --git a/modules/dynamic_backends/main.tf b/modules/dynamic_backends/main.tf
index 5fb43ee8..3d3fbc7e 100644
--- a/modules/dynamic_backends/main.tf
+++ b/modules/dynamic_backends/main.tf
@@ -117,10 +117,11 @@ resource "google_compute_target_https_proxy" "default" {
 name = "${var.name}-https-proxy"
 url_map = local.url_map
 
- ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
- certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
- ssl_policy = var.ssl_policy
- quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+ ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
+ certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+ ssl_policy = var.ssl_policy
+ quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+ server_tls_policy = var.server_tls_policy
 }
 
 resource "google_compute_ssl_certificate" "default" {
diff --git a/modules/dynamic_backends/variables.tf b/modules/dynamic_backends/variables.tf
index a44ca32e..296295c6 100644
--- a/modules/dynamic_backends/variables.tf
+++ b/modules/dynamic_backends/variables.tf
@@ -297,3 +297,9 @@ variable "network" {
 type = string
 default = "default"
 }
+
+variable "server_tls_policy" {
+ description = "The resource URL for the server TLS policy to associate with the https proxy service"
+ type = string
+ default = null
+}
diff --git a/modules/serverless_negs/README.md b/modules/serverless_negs/README.md
index c31074a2..29cb354a 100644
--- a/modules/serverless_negs/README.md
+++ b/modules/serverless_negs/README.md
@@ -94,6 +94,7 @@ module "lb-http" {
 | quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |
 | random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no |
 | security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no |
+| server\_tls\_policy | The resource URL for the server TLS policy to associate with the https proxy service | `string` | `null` | no |
 | ssl | Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no |
 | ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
 | ssl\_policy | Selfink to SSL Policy | `string` | `null` | no |
diff --git a/modules/serverless_negs/main.tf b/modules/serverless_negs/main.tf
index 3ca97b32..dd650517 100644
--- a/modules/serverless_negs/main.tf
+++ b/modules/serverless_negs/main.tf
@@ -116,10 +116,10 @@ resource "google_compute_target_https_proxy" "default" {
 name = "${var.name}-https-proxy"
 url_map = local.url_map
 
- ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
- certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
- ssl_policy = var.ssl_policy
- quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
+ ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
+ certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
+ ssl_policy = var.ssl_policy
+ quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
 server_tls_policy = var.server_tls_policy
 }
 
diff --git a/modules/serverless_negs/variables.tf b/modules/serverless_negs/variables.tf
index b94700e7..765bdbd3 100644
--- a/modules/serverless_negs/variables.tf
+++ b/modules/serverless_negs/variables.tf
@@ -247,7 +247,6 @@ variable "network" {
 default = "default"
 }
 
-
 variable "server_tls_policy" {
+ description = "The resource URL for the server TLS policy to associate with the https proxy service"
+ type = string
diff --git a/variables.tf b/variables.tf
index a44ca32e..296295c6 100644
--- a/variables.tf
+++ b/variables.tf
@@ -297,3 +297,9 @@ variable "network" {
 type = string
 default = "default"
 }
+
+variable "server_tls_policy" {
+ description = "The resource URL for the server TLS policy to associate with the https proxy service"
+ type = string
+ default = null
+}